---
title: "Policies (OPA)"
---

Digger supports granular policy-as-code governance via Open Policy Agent (OPA). You can specify policies at project as well as organisation level.

There are 2 types of policies in Digger:

- Plan policies
- Access policies

# Plan policies

With plan policies you can check `terraform plan` output for compliance with your internal guidelines, for example limiting the kinds of resources that can be provisioned in a particular environment or team. Plan policy is checked after every plan, and before every apply.

# Access policies

With access policies you can control which Digger operations are allowed at any given time based on various inputs. Access policy is checked before every plan and apply and is passed the following data:

- user id (from GitHub)
- plan policy violations, if any
- list of users who approved the PR

This way you can implement custom logic, for example allowing a PR that has policy violations to be applied if certain users approved it.
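One way to write the override logic described above, as an added example that is not taken from Digger's own documentation or code. The `digger` package name, the `allow` rule and the input fields `user`, `planPolicyViolations` and `approvals` are assumed names for the three inputs listed above, and the approver names are constructed.

```rego
# Added example, not Digger's own policy.
# Assumptions: package name, `allow` as the decision rule, and the input
# field names user / planPolicyViolations / approvals. Check what your
# Digger version actually passes before using this.
package digger

import future.keywords.if
import future.keywords.in

# Constructed set of GitHub users trusted to override plan policy violations.
override_approvers := {"alice-sec", "bob-platform"}

# Fail closed: anything not explicitly allowed below is denied, including
# requests where an expected input field is missing (the rules below are
# undefined in that case, so the default applies).
default allow := false

# Case 1: the plan has no policy violations, so the operation may proceed.
allow if {
	count(input.planPolicyViolations) == 0
}

# Case 2: the plan has violations, but the PR was approved by at least one
# trusted override approver.
allow if {
	count(input.planPolicyViolations) > 0
	some approver in input.approvals
	approver in override_approvers

	# Extra safeguard added in this example: the person triggering the
	# operation cannot be the one whose approval unlocks the override.
	approver != input.user
}
```

With this policy, a run requested by `carol` with one violation and approvals `["alice-sec"]` is allowed, while the same run approved only by `carol`, or requested and approved by `alice-sec` alone, is denied.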

# Ways to configure policies

In Digger there are 3 ways to use OPA policies:

- via Management Repo
- via (unofficial) Orchestrator API
- inline via Conftest


## Management repository

OPA policies can be stored in a dedicated repository ([example](https://github.com/diggerhq/mgmt-repo-one/tree/main/policies)) that is separate from the repositories that it controls.
In this management repo, policies can be structured using 3 levels:

- organisation level (applies to all repos and projects)
- repo level (applies to all projects within a specific repo; overrides org-level)
- project level (applies only to specific project; overrides repo-level and org-level)

## Inline policies via custom commands
The most basic way to use OPA policies with Digger is via [custom commands](/ce/howto/using-opa-conftest) - you can have a script that downloads policies from your storage of choice, and then invoke Conftest CLI directly as a custom workflow step in Digger. This is also a free feature of Digger Community Edition.
